Ji,
Thanks for testing and for the complete report.
First, a hint:
When you try to set the default password, I don't know where you got the string 084cf5c804c917fa349e0012a443227 to set as the new password value,
but it may be easier to enter the password in clear text (admin) and set crypto to null.
Second:
I hope that after changing the password through the application, when you try to reconnect, you use the password you entered in the application as the new password, not the one stored in the db (cd0972eea8cbc92b1bc66224528306ca67532aa13724f1cf1f7944f5af5b9c06), as this one is the result of encryption of the password.
Last:
To get more clues, change in model/UserMain.php, line 1243, from
    if ($this->crypto=='sha256') {
      debugTraceLog("User->authenticate : sha256 encryption");
      $expected=$this->password.getSessionValue('sessionSalt');
      $expected=hash("sha256", $expected);
to
    if ($this->crypto=='sha256') {
      debugTraceLog("User->authenticate : sha256 encryption");
      $expected=$this->password.getSessionValue('sessionSalt');
      debugTraceLog("*** sha encrypted password ***");
      debugTraceLog("stored password = ".$this->password);
      debugTraceLog("session salt = ".getSessionValue('sessionSalt'));
      $expected=hash("sha256", $expected);
Then, in the browser, open the console on the network tab, and filter the results on getHash.
Try to reconnect (with the refused password).
Look at the response for the last request getHash.php: the last word (after last
must be exactly the same as what you will find in the log file after "DEBUG session salt ="
If it's not the case, you have a session issue.
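
The comparison described in the reply above, written out as an added example (not part of the original reply and not the project's own code). `diagnoseLogin` and `fingerprint` are hypothetical helpers, all values are constructed samples, and the value posted by the browser is assumed to be the sha256 of the stored password followed by the session salt, mirroring the server-side branch quoted above.

```php
<?php
// Added illustration, not the application's code. All values are constructed.

/** Short, log-safe fingerprint so the stored hash itself never lands in a log file. */
function fingerprint(string $value): string {
    return substr(hash('sha256', $value), 0, 8);
}

/**
 * Classify a refused login from the values the reply says to compare.
 * $storedPassword : password column from the db (already a hash when crypto is sha256)
 * $serverSalt     : salt the server logged for this session
 * $clientSalt     : salt the browser received in the getHash response
 * $submitted      : value the browser posted (assumed: sha256 of stored value . salt)
 */
function diagnoseLogin(string $storedPassword, string $serverSalt,
                       string $clientSalt, string $submitted): string {
    // Different salts on each side means the two requests hit different sessions.
    if (!hash_equals($serverSalt, $clientSalt)) {
        return 'session issue: browser and server hold different salts';
    }
    // Same computation as the sha256 branch quoted in the reply.
    $expected = hash('sha256', $storedPassword . $serverSalt);
    if (!hash_equals($expected, $submitted)) {
        return 'salts match, password value differs (stored fp '
             . fingerprint($storedPassword) . ')';
    }
    return 'ok';
}

// Constructed sample data: stored hash, session salt, and a matching submission.
$stored     = hash('sha256', 'admin');
$salt       = 'a1b2c3d4';
$goodSubmit = hash('sha256', $stored . $salt);
$badSubmit  = hash('sha256', 'something-else' . $salt);

echo diagnoseLogin($stored, $salt, $salt, $goodSubmit), PHP_EOL;
echo diagnoseLogin($stored, $salt, 'ffff0000', $goodSubmit), PHP_EOL;
echo diagnoseLogin($stored, $salt, $salt, $badSubmit), PHP_EOL;
```

Logging a truncated fingerprint instead of the stored hash keeps the temporary trace useful for comparison without writing credential material to the log file.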